SOX

Sarbanes-Oxley (SOX) Security & Compliance

One of the most important elements of SOX compliance is providing evidence that the financial applications and supporting systems and services are adequately secured to ensure that financial reports can be trusted (SOX Section 404). This includes requirements for documentation that proves appropriate security policies and practices are in compliance.

SOX does not provide direct guidance on what it means to comply. Instead, it refers to the Committee of Sponsoring Organizations (COSO), and its accompanying control framework as a method to achieve compliance.

The COSO framework is designed to provide a model that corporations can use to run an efficient and well-controlled financial environment. The COSO framework recognizes that IT requires a dedicated governance framework like COBIT (Control Objectives for IT) and standards for security policy and practice like ISO 17799.

COBIT’s control objectives provide IT with specific guidance on the goals they need to achieve in areas like change control, access control and monitoring in order to comply with SOX. However, not every control objective in COBIT is required for SOX. The most critical SOX-related COBIT controls are found in the Delivery and Support, and Monitoring sections, and deal with change control, provisioning and monitoring. These sections define the following objectives: Ensure systems security; Assess internal control adequacy; Obtain independent assurance; and Provide for independent audit.

ISO17799, an international security code of practice, provides examples of good security practices, many of which correspond to COBIT objectives. IT organizations can use COBIT as an overall governance framework and ISO as a guide to implementing policies and practices for security in general, and SOX required activities in particular.

Businesses can compare their policies, procedures and practices to those required by COBIT and described in ISO 17799 with Spohn’s NetAUDIT ISO 17799 Security Assessment. This assessment will tell how effective these controls are in their environment. Guidance and recommendations are provided to help determine how closely an organization needs to match the strict controls described in ISO 17799 relative to the company’s interpretation of SOX requirements.

Many organizations are competent when running their businesses and IT operations, but do not document their policies, procedures, changes and authorization workflows to the degree SOX compliance requires. Spohn assists companies in creating and maintaining this documentation through ISO 17799 security assessments.
